Phishing Websites and How to Tackle Them

Overview
In this guide, we'll cover:
Evasion Tactics: Gain insight into how threat actors bypass detection and evade security controls.
How to Reduce Your Attack Surface: Implement proactive defenses to make your organization harder to target.
How to Disrupt the Phishing Kill Chain: Identify and mitigate threats at every stage of a phishing website’s lifecycle—from creation to takedown.
Phishing websites are on the rise.
Netcraft’s data shows a more than 37% increase in web-based phishing attacks from January 2021 to December 2024 — and a 67% increase from August 2024 to December 2024.
Unlike phishing emails that target your employees, phishing websites prey on your customers by impersonating your brand online. A major threat within the phishing ecosystem, these fake sites cause damage and disruption to individuals and organizations alike — and enable threat actors to extract value from your brand and intellectual property (IP).
Fig 1. Growth in Global Phishing (unique IP addresses with blocked phishing): graph showing a steady increase in web-based phishing attacks detected by Netcraft between January 2021 and December 2024
What Is a Phishing Website?
Phishing websites mimic legitimate organizations by simulating a familiar user experience that tricks unsuspecting victims into believing it is genuine and safe to use.
Many threat actors use phishing websites to mislead victims into sharing personal and/or financial information, such as login credentials, payment card numbers, or bank account details. In other cases, they may deploy malware to steal information, log keys, or install ransomware.
Fig 2. Screenshot of a phishing website imitating the Netflix login page.
Phishing websites form part of the much wider online fraud landscape. In the UK last year, 77% of fraud cases originated from online sources. One in four (25%) victims who encountered online scams lost money as a result, with 21% being scammed out of £1,000 or more. In the same year, U.S. consumers and organizations lost $12.5 billion to online scams, a 22% increase in losses suffered in 2023 compared to 2022.
The fallout from phishing for any brand can include brand damage, loss of consumer trust, regulatory fines, surplus customer service costs, and, in some countries and industries, remediation costs to compensate victims for any losses. In the financial services industry, there’s increasing regulation (and demand) for banks and other organizations to reimburse customers who fall victim to cyberfraud, such as the recent UK mandatory reimbursement for authorized push payment (APP) fraud.
As the threat of phishing grows, including through the introduction of artificial intelligence (AI), which lowers the bar to entry for phishing, security leaders are identifying innovative solutions and technologies to combat it.
From March 2024 to March 2025, Netcraft disrupted 1.3 million phishing websites imitating more than 16,000 real-world organizations including some of the world’s biggest brands.
Fighting Back
Security leaders deploy an arsenal of defensive countermeasures to protect their brands and customers from the threat of phishing.
These countermeasures rely on a mix of automation — utilizing AI and machine learning — and specialist-led threat analysis and optimization. As the world’s largest takedown provider, Netcraft performs 33% of the world’s phishing website takedowns. We protect 700 organizations, including 17 of the world’s top 50 financial services institutions and the countless customers that use their services and products.
Disrupting and taking down phishing websites — strategically and at scale with a long-term partner — can incrementally lower the risk of these attacks by targeting them at the source. Scammers prey on vulnerability. Organizations that quickly and consistently find and disrupt attacks increase costs for threat actors, making them an unattractive target. The better that you defend your brand from phishing and fraud, the less likely that scammers will target your brand. This transforms your security function into a value driver, not a cost center — with measurable impact and ROI.
When that cost increases, criminals look to less resistant organizations — and attacks against your brand decrease over time. Netcraft’s clients have experienced this firsthand.
Using the Netcraft kill chain for phishing website attacks as an anchor point, this eBook can help you understand the motivations of threat actors, the specific tactics they use and their impact, and the underlying infrastructure that makes such activity possible. It also offers insight into how you can make your organization the least attractive target by tackling each phase of the phishing website lifecycle.
Lifecycle of a Phishing Attack
The process below outlines the lifecycle of a phishing website, illustrating the individuals and groups involved, the tactics used, and the flow of strategic phases that form the attack lifecycle. As with all cyber threats, and especially as malicious tradecraft and emerging technologies evolve, there are multiple scenarios by which attacks can unfold. The ones we explore here provide a general overview of phishing websites, which we examine in more depth in the following sections.
For a visual diagram of this lifecycle, see page 5 in the PDF version of this guide.
Reconnaissance (Research)
Threat actor gathers the intelligence needed to activate their attack.
Weaponization (Resource Development)
Organized cybercrime groups compromise vulnerable web servers and develop ready-to-use phishing kits.
A) Threat actor acquires initial access to a compromised server. They may also purchase a phishing kit.
B) Threat actor registers a new domain from a legitimate provider. They either purchase hosting or acquire free hosting via a subdomain.
Threat actor may build their attack using a phishing kit.
Delivery (Deployment)
Malicious website content is uploaded and deployed. Threat actor targets victims with phishing communications designed to lure them to the malicious website.
Exploitation (Victim Interface)
Victim visits the website and provides their personal information and/or credentials.
Exfiltration (Data Extraction)
Threat actor exfiltrates victim data. This gets stored as a log file on a local or external server.
Actions on Objectives (Results)
One of the following next steps occurs:
A) Threat actor sells stolen credentials on the dark web.
B) Threat actor uses stolen credentials to extract victim finances. They may evade detection by laundering these funds through complex mule systems.
Persistence (Continuity)
One of the following next steps occurs:
A) Phishing website is removed without revoking the threat actor's server access. Threat actor re-uploads content, reactivating the attack from the same URL.
B) Server access is blocked. Threat actor changes hosting providers and continues their attack from the same web domain.
Understanding Phishing Websites In Depth
Phishing websites satisfy many threat actor motivations:
Financial: To directly extract funds from a victim.
Credential/Data Theft: To harvest information that can be sold on the dark web.
Malware: To deploy malicious software on a victim’s device (including ransomware), which can be used for financial extortion.
Cryptojacking: To utilize a victim’s computing resources for cryptomining.
Innovations in phishing, the introduction of AI, and organized cybercrime continue to drive increased phishing volumes around the globe.
Low Barrier to Entry: Phishing doesn’t require advanced technical skills or significant financial resources. Basic computer knowledge and access to phishing kits are enough to deploy an effective campaign, allowing more criminals to enter the market.
Profitability: Even small-scale phishing can yield meaningful returns if the criminal activity goes undetected, undisrupted, or is slow to be remediated.
Rapid Evolution: Phishing tactics and techniques evolve rapidly — especially when combined with increased access to generative AI (GenAI) to create a never-ending game of cat and mouse.
The Phishing Website Ecosystem
With an estimated 5.35 billion users and 1.2 billion websites now online, the internet offers seemingly endless opportunities for criminals to satisfy their motives, financial or otherwise. Capitalizing on these resources is also becoming easier, as the complex cybercrime infrastructure that criminals require is easier to access and use than ever before.
Phishing Kits
Phishing kits (or, sometimes phishkits) are one of the most lucrative assets sold through the phishing marketplace. These archives contain everything a threat actor needs to create a phishing website, including HTML pages, PHP scripts, phishing emails, and images. They may also include hidden code that covertly sends a copy of any stolen credentials back to the kit developers, enabling them to benefit every time their kit is used.
The Phishing Marketplace
Unlike technically skilled, resource-rich criminals who develop their own methodologies and tradecraft, many of the threat actors responsible for phishing website attacks utilize existing resources. This enables them to acquire their means of attack while controlling their upfront investment outlay. It also means that anyone, regardless of their abilities and knowledge, can try their luck. A sophisticated black market allows them to gain access to compromised servers, user data, and phishing kits — all ready to use, with minimal effort from the buyer.
The Mule-as-a-Service (MaaS) Ecosystem
For threat actors motivated by extracting funds, a sophisticated financial network exists to help them cover their tracks.
Netcraft’s own research has uncovered an interconnected ecosystem of “mule” accounts being used to launder the money that criminals take from their victims in what we call “Mule-as-a-Service” activity. In a financially motivated attack, threat actors can make use of this MaaS network to launder their scam proceeds through these money mule bank accounts, obfuscating the origin of their illicit gains and enabling them to secure their objectives.
Impact on Your Business
There are always at least two victims in a website phishing attack: the victim who falls prey to the threat actor’s campaign and the organization that is impersonated.
For the organization being impersonated, the cost of a phishing website can come in different forms:
Brand and Reputation Damage
Within 6 months of a major cyber attack, 60% of small- and medium-sized businesses close, according to a report by Cybersecurity Ventures.
A Forrester Research survey found that 59% of consumers would stop doing business with a company that experienced a data breach.
Customer Service Costs
Phishing brand impersonation attacks can dramatically increase customer service costs by overwhelming support channels with inquiries from confused customers seeking to verify the authenticity of communications, resulting in longer handling times and additional training requirements for staff.
An Osterman Research report has shown that each phishing incident can add more than 25 minutes of support time, costing around $31.32 per case.
Regulatory Fines and Penalties
Data breaches that involve phishing can result in regulatory fines. For example, fines under the General Data Protection Regulation (GDPR) can reach up to 4% of an organization’s annual global turnover. For large organizations, this can mean millions of dollars.
Class Action Lawsuits
Class action lawsuits against companies due to cybersecurity breaches affecting customers have become increasingly common in recent years. In 2023, there was a significant surge in such legal actions, with 1,320 data breach class actions filed—nearly triple the number from the previous year. This upward trend continued throughout 2024, with nearly 1,500 class action suits for data breaches.
Insurance Costs
Post-attack, many organizations often face increased costs for cybersecurity insurance premiums. A 2022 report by Marsh shows insurance premiums may rise by 20% to 30% for organizations with a history of breaches, including phishing.
Tackling Phishing Websites
Netcraft has tackled phishing head on for almost two decades, developing the means to detect, disable, and remove threats from the web via digital infrastructure takedowns. This counterattack requires a strategic approach that corresponds to each phase of the phishing website lifecycle. The core objective is to disrupt activity at a level that makes attacking an organization unprofitable for the threat actor. In short, we make brands and their customers unattractive targets for criminals.
Here is how this layered approach works in practice.
For a visual diagram of Netcraft's approach, see page 9 in the PDF version of this guide.
Weaponization (Resource Development)
Web Shell Hunting: Netcraft identifies and removes malicious web shells present on compromised servers to revoke the threat actor's access before the server is even used.
Fraud Detection: Netcraft scans and monitors the internet for new, imitating domains, ready to take them down as they become active.
Delivery (Deployment)
Email Server Takedown: Netcraft collects and scans spam feeds to locate malicious mail servers, notifying mail server admins to cease further deployment.
Exploitation (Victim Interface)
Referrer Monitoring: Some phishing websites imitate brands by "hotlinking" to images and other content from the legitimate live source. Netcraft continuously inspects referrer logs to detect this activity and flags it as linking takes place.
Phishing Website Takedown: Once detected by Netcraft, phishing sites are blocked and submitted to takedown, which disrupts malicious sites within minutes and removes them completely in hours.
Phishing Kit Takedown: Netcraft swiftly removes phishing kits, preventing redeployment, and analyzes them for insights to inform organizations about IP abuse.
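The referrer-monitoring technique described above, as an added example (not Netcraft's code): a detector that reads a web server's access log in the common combined format and counts requests for the brand's static assets whose Referer header points at a host outside the brand's own domains, which is the signature of a phishing page hotlinking the real site's images and stylesheets. The log lines and the domains (example-bank.test and the referring host) are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format: client, ident, user, time, request, status, bytes, referer, user-agent
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Static assets a phishing page would typically hotlink from the genuine site.
ASSET_EXT = (".png", ".jpg", ".jpeg", ".gif", ".svg", ".css", ".js", ".ico", ".woff", ".woff2")

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not in combined format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def referer_host(referer):
    """Lower-cased host of a Referer URL, or None for '-', empty or unparsable values."""
    if not referer or referer == "-":
        return None
    try:
        host = urlsplit(referer).hostname  # drops scheme, port, userinfo and path
    except ValueError:
        return None
    return host.lower() if host else None

def is_own_host(host, own_domains):
    """True if host is one of the brand's domains or a subdomain of one (not a look-alike suffix)."""
    return any(host == d or host.endswith("." + d) for d in own_domains)

def find_hotlinkers(lines, own_domains):
    """Count asset requests per external referring host, i.e. third-party pages embedding our content.

    Requests with no Referer (direct loads, privacy-stripped browsers, curl) are ignored: they
    prove nothing either way. Malformed lines are skipped rather than guessed at.
    """
    own_domains = [d.lower() for d in own_domains]
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["path"]).path.lower()  # ignore query strings such as ?v=3
        if not path.endswith(ASSET_EXT):
            continue
        host = referer_host(rec["referer"])
        if host is None or is_own_host(host, own_domains):
            continue
        hits[host] += 1
    return hits

# Constructed sample log (not real traffic); example-bank.test is the impersonated brand here.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:01:02 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "https://www.example-bank.test/login" "Mozilla/5.0"
203.0.113.6 - - [10/Mar/2025:10:01:05 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "http://secure-examplebank-login.test/verify.php" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:10:01:09 +0000] "GET /static/app.css?v=3 HTTP/1.1" 200 9000 "http://SECURE-examplebank-login.test:8080/verify.php" "Mozilla/5.0"
203.0.113.8 - - [10/Mar/2025:10:01:11 +0000] "GET /static/logo.png HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2025:10:01:15 +0000] "GET /api/balance HTTP/1.1" 401 12 "http://secure-examplebank-login.test/verify.php" "Mozilla/5.0"
this line is garbage
"""

if __name__ == "__main__":
    for host, n in find_hotlinkers(SAMPLE_LOG.splitlines(), ["example-bank.test"]).most_common():
        print(f"{n:4d} asset requests referred by {host}")
```

A host that appears here with more than a handful of hits, and is not a known partner or CDN, is worth a visit by an analyst: it is either a lookalike page hotlinking the brand's assets or a legitimate embed that should be added to the allow list.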
Exfiltration (Data Extraction)
Log File Takedown: Netcraft ensures log file removal by notifying providers for local storage and taking down external servers, revoking the threat actor's access to victim credentials.
User Takedown: Netcraft hunts for and takes down any email addresses being used by threat actors to deploy lure messages, forcing them to change tactics.
Actions on Objectives (Results)
Deep and Dark Web Analysis: Netcraft searches leaked and stolen data for exfiltrated victim data. Organizations are notified, enabling them to lock down victim accounts or payment methods, preventing further losses and cutting off the threat actor's supply to the data they wish to monetize or otherwise exploit.
Netcraft Scam Intelligence: Netcraft uses AI chatbots to uncover criminal-controlled bank accounts, mule accounts, and crypto wallet addresses. Organizations can then flag or block payments to and from compromised accounts before transactions have occurred, mitigating risk exposure.
Persistence (Continuity)
Web Shell Takedown: Netcraft removes web shells, blocking attacker access and forcing them to restart or target another server, increasing their attack cost.
Host History Log Analysis: Netcraft monitors takedowns for 7 days, automatically restarting them if reinstated and contacting new hosts. For attacker-registered domains, we also request registrar suspension.
The Netcraft Difference
Netcraft takes down more than 3 million attacks each year across 120 different attack types. Netcraft delivers substantial attack reductions in absolute terms, as well as compared to the industry average. Over the last five years, attacks against Netcraft clients have fallen by 23%, compared to an increase of 56% in attacks against non-clients. This difference showcases the impact of consistent, best-in-class threat disruption. By increasing the cost to attack for criminals, brands that work with Netcraft experience significant ROI and reduced exposure.
Chart: Client Phishing Attack Volume vs. Non-Client Phishing Attack Volume
Delivering Clear ROI
Continuous Optimization
Intelligence improves visibility and response, enabling Netcraft to develop and deploy our solutions faster, with more precision, and on a greater scale. We combine technology with human-led training, drawing on approximately 80,000 rules enabled over the past 20 years to identify phishing websites. Our technology helps us reduce the risk of false positives and increase the speed at which we identify even novel indicators. With new rules being developed, tested, and added every week, this speed and accuracy continue to increase.
Shifting Left: Early Threat Detection
Detecting threats fast and at any scale enables the best defenses to be deployed without unnecessary delay. Detection is also a key tactic in understanding threats in detail, which can provide valuable intelligence for your security strategy and help you improve your security posture. Netcraft ingests threat data from 23 billion data sources each year from public and proprietary sources. Our scale is unrivaled, enabling us to identify and classify more phishing websites faster and more accurately than anyone else.
Proactive Disruption
Deployed in real time when a legitimate threat is identified, proactive blocking and takedowns disrupt and remove threats at a speed and scale that deliver measurable ROI. Our approach terminates illegitimate use of your IP in a timely manner, lessening the impact on your brand, organization, and customers. On average, Netcraft blocks phishing attacks in less than 5 minutes and takes down malicious content within 4 hours. Of the automated phishing takedowns that Netcraft deploys, 73% have their first outage within 24 hours. More than 75% of our takedowns are enabled through custom APIs or direct contact points with the largest infrastructure providers, ensuring Netcraft threat reports are prioritized.
Taking the First Steps Forward
Phishing websites pose a risk to every known brand, no matter how small or unique. Whether you’re a global bank or a niche, local media outlet, your brand has value that can be extracted and used maliciously. While you may not be able to completely eradicate this threat, you can make it harder for criminals to target your organization. By making your organization an unattractive target, you force the threat elsewhere.
The barrier to entry for phishing websites will continue to lower, introducing more cybercriminals into the market. We also know that emerging technologies will continue to be used to create efficiencies and make these attacks more impactful. For example, Netcraft has already seen an increase in the use of large language models (LLMs) to expedite and optimize the production of phishing content.
The diagrams included in this eBook demonstrate how phishing attacks work and how they can be stopped. Here are some recommendations to help you act now.
Become an Authority on Phishing Websites and Their Impact
Understand more about the threat that phishing websites pose to your organization.
Consider how phishing websites may negatively impact your organization.
From brand damage to regulatory fines, where are the biggest risks and how might they threaten business continuity?
What value can be extracted from the perception your customers have about the services you offer and your brand recognition?
How might your brand and IP be imitated or used for criminal gain?
Educate Your Organization
Investment needs advocacy. And, with security, everyone is a stakeholder.
Educate your organization to gain the support you need to develop and deliver a phishing takedown strategy. Once you secure this support with cross-departmental knowledge and awareness, you are better equipped to tackle the threat with complete buy-in from the various stakeholders and departments necessary for success.
Assess Solutions with Insight
The security marketplace is noisy and must be navigated with a sense of the outcomes you want to achieve.
Conflation, hyperbole, and AI-washing exist everywhere — and the anti-phishing website space is no exception. Be sure to clarify the outcomes that providers stipulate in their offering. Do their success numbers pertain to blocking or takedowns? What specific machine learning and AI technologies are they using and how?
About Netcraft
Netcraft takes down more than 33% of the world’s phishing attacks. With more than 20 years of experience, the largest proprietary dataset, and a continuously evolving detection and classification engine, we identify and remove the threats others overlook. We’ve earned the trust of the world’s top brands and enterprise technology providers. They know us as the leader in online scam takedowns, providing the fastest, most accurate brand and IP protection. See the platform in action by scheduling a live demo.
Frequently Asked Questions
What is a phishing website?
Phishing websites mimic legitimate organizations by simulating a familiar user experience that tricks victims into believing the site is genuine and safe, often to steal personal information, financial details, or deploy malware.
How much have phishing attacks increased recently?
Netcraft's data shows a 37% increase in web-based phishing attacks from January 2021 to December 2024, and a 67% increase from August 2024 to December 2024 alone.
What are the business costs of phishing website attacks?
Organizations face brand and reputation damage, increased customer service costs (averaging $31.32 per incident), regulatory fines up to 4% of annual global turnover under GDPR, class action lawsuits, and higher cybersecurity insurance premiums.
How quickly can phishing websites be taken down?
Netcraft blocks phishing attacks in less than 5 minutes on average and takes down malicious content within 4 hours, with 73% of automated takedowns experiencing their first outage within 24 hours.
What are phishing kits?
Phishing kits are archives containing everything a threat actor needs to create a phishing website, including HTML pages, PHP scripts, phishing emails, and images, making it easy for criminals with minimal technical skills to launch attacks.
How does consistent takedown activity reduce phishing attacks?
By quickly and consistently disrupting attacks, organizations increase costs for threat actors, making them unattractive targets. Over five years, attacks against Netcraft clients fell by 23%, while attacks against non-clients increased by 56%.
What is Mule-as-a-Service?
Mule-as-a-Service is an interconnected ecosystem of money mule bank accounts that threat actors use to launder proceeds from financially motivated phishing attacks, obfuscating the origin of illicit gains.
How many phishing websites does Netcraft disrupt?
From March 2024 to March 2025, Netcraft disrupted 1.3 million phishing websites imitating more than 16,000 real-world organizations, performing 33% of the world's phishing website takedowns.